Export of personal data from a data controller who is subject to E.U. privacy regulations to a U.S. based destination

Direct / indirect relevance:

Direct. Entities wishing to accede to the Safe Harbor are required to assess security measures with regard to data processing and to take the required security precautions.

Scope:

Voluntary adherence by the affected U.S. entities

Legal force:

Voluntary self-certification. The voluntary character is relative, since the data controller must comply with E.U. privacy regulations, but alternative methods of compliance (such as the model clauses discussed below) exist.

Affected sectors:

Generic export of personal data to a U.S. entity

Relevance to RM/RA:

Before personal data may be exported from an entity subject to E.U. privacy regulations to a destination subject to U.S. law, the European entity must ensure that the receiving entity provides adequate safeguards to protect such data against a number of mishaps.

One way of complying with this obligation is to require the receiving entity to join the Safe Harbor, by requiring that the entity self-certifies its compliance with the so-called Safe Harbor Principles. If this road is chosen, the data controller exporting the data must verify that the U.S. destination is indeed on the Safe Harbor list (see http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list).

References

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe.

ENISA is contributing to a high level of network and information security (NIS) within the European Union, by developing and promoting a culture of NIS in society to assist in the proper functioning of the internal market.